Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 7 articles for you...
89
security advisorydenial of servicefedoraFedora 42 uv Update 0.10.2 Denial of Service Advisory 2026-086a367966
Update uv and python-uv-build to 0.10.2. There are some minor breaking changes in uv; most users should not have to change anything. See https://github.com/astral-sh/uv/blob/0.10.2/CHANGELOG.md for details. There are no breaking changes to python-uv-build.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-086a367966 2026-02-22 00:57:35.024139+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 42 Version : 0.10.2 Release : 1.fc42 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package and project manager, written in Rust. Highlights: \u2022 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine, virtualenv, and more. \u2022 10-100x faster than pip. \u2022 Provides comprehensive project management, with a universal lockfile. \u2022 Runs scripts, with support for inline dependency metadata. \u2022 Installs and manages Python versions. \u2022 Runs and installs tools published as Python packages. \u2022 Includes a pip-compatible interface for a performance boost with a familiar CLI. \u2022 Supports Cargo-style workspaces for scalable projects. \u2022 Disk-space efficient, with a global cache for dependency deduplication. -------------------------------------------------------------------------------- Update Information: Update uv and python-uv-build to 0.10.2. There are some minor breaking changes in uv; most users should not have to change anything. See https://github.com/astral-sh/uv/blob/0.10.2/CHANGELOG.md for details. There are no breaking changes to python-uv-build. -------------------------------------------------------------------------------- ChangeLog: * Tue Feb 10 2026 Benjamin A. Beasley - 0.10.2-1 - Update to 0.10.2 * Tue Feb 10 2026 Benjamin A. Beasley - 0.10.1-1 - Update to 0.10.1(close RHBZ#2437188) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2438083 - CVE-2026-25727 python-uv-build: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438083 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-086a367966' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Explore Fedora 42's latest advisory on uv and python-uv-build updates, addressing a critical DoS threat efficiently.. Fedora updates, python package management, security advisory. . Severity: Important. LinuxSecurity.com Team
Feb 22, 2026
•Important
Fedora
89
security advisoryfedoraauthorization bypassFedora 42 uv Critical JSON Web Token Issue Advisory CVE-2026-25537
Update the time crate to version 0.3.47. Update the time-macros crate to version 0.2.27. Update the time-core crate to version 0.1.8. Update the num-conv crate to version 0.2.0. Update the git2 crate to version 0.20.4.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-6388b28850 2026-02-11 00:58:02.841951+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 42 Version : 0.9.30 Release : 2.fc42 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package and project manager, written in Rust. Highlights: \u2022 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine, virtualenv, and more. \u2022 10-100x faster than pip. \u2022 Provides comprehensive project management, with a universal lockfile. \u2022 Runs scripts, with support for inline dependency metadata. \u2022 Installs and manages Python versions. \u2022 Runs and installs tools published as Python packages. \u2022 Includes a pip-compatible interface for a performance boost with a familiar CLI. \u2022 Supports Cargo-style workspaces for scalable projects. \u2022 Disk-space efficient, with a global cache for dependency deduplication. -------------------------------------------------------------------------------- Update Information: Update the time crate to version 0.3.47. Update the time-macros crate to version 0.2.27. Update the time-core crate to version 0.1.8. Update the num-conv crate to version 0.2.0. Update the git2 crate to version 0.20.4. Update the bytes crate to version 1.11.1. Additionally, this update contains rebuilds of applications affected by security advisories: bytes: RUSTSEC-2026-0007 git2: RUSTSEC-2026-0008 jsonwebtoken: CVE-2026-25537 time: RUSTSEC-2026-0009 All applications that statically link libgit2 via the git2 Rustbindings were also rebuilt against the latest version of the git2 / libgit2-sys crates to pull in fixes included in libgit2 between v1.8.1 and v1.9.2. -------------------------------------------------------------------------------- ChangeLog: * Sun Feb 8 2026 Benjamin A. Beasley - 0.9.30-2 - Rebuilt with jsonwebtoken patched for CVE-2026-25537 - Fixes RHBZ#2437472; fixes RHBZ#2437467; fixes RHBZ#2437461 * Thu Feb 5 2026 Benjamin A. Beasley - 0.9.30-1 - Update to 0.9.30 (close RHBZ#2437002) * Wed Feb 4 2026 Benjamin A. Beasley - 0.9.29-1 - Update to 0.9.29 (close RHBZ#2436550) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2437465 - CVE-2026-25537 rust-jsonwebtoken: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2437465 [ 2 ] Bug #2437467 - CVE-2026-25537 uv: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2437467 [ 3 ] Bug #2438046 - CVE-2026-25727 atuin: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438046 [ 4 ] Bug #2438075 - CVE-2026-25727 keylime-agent-rust: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438075 [ 5 ] Bug #2438077 - CVE-2026-25727 maturin: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438077 [ 6 ] Bug #2438086 - CVE-2026-25727 rustup: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438086 [ 7 ] Bug #2438091 - CVE-2026-25727 tbtools: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438091 [ 8 ] Bug #2438097 - CVE-2026-25727 tuigreet: timeaffected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438097 [ 9 ] Bug #2438098 - CVE-2026-25727 uv: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438098 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6388b28850' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . This advisory discusses important security fixes for Fedora 42 related to the uv package and associated vulnerabilities.. security advisory, Fedora 42, uv package, Rust vulnerabilities. . Severity: Critical. LinuxSecurity.com Team
Feb 11, 2026
•Critical
Fedora
89
security advisoryfedoraDoSFedora 41: uv Python Package Update 2025-00e5b3d89c Critical DoS Advisory
uv / python-uv-build 0.9.7 https://github.com/astral-sh/uv/releases/tag/0.9.7 0.9.6 This release contains an upgrade to Astral's fork of async_zip, which addresses. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-00e5b3d89c 2025-11-15 01:40:44.715697+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 41 Version : 0.9.7 Release : 2.fc41 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows. Highlights: \u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands. \u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync). \u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication. \u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python. \u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages. \u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows. \u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative resolution strategies. \u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver. \u2022 \U0001f91d Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more. -------------------------------------------------------------------------------- Update Information: uv / python-uv-build 0.9.7 https://github.com/astral-sh/uv/releases/tag/0.9.7 0.9.6 This release contains an upgrade to Astral's fork of async_zip, whichaddresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details. https://github.com/astral-sh/uv/releases/tag/0.9.6 ruff 0.14.3 https://github.com/astral-sh/ruff/releases/tag/0.14.3 Update rust-get-size2/rust-get-size-derive2 to 0.7.1 (implement GetSize for RefCell). Update rust-reqsign to 0.18.1 and rust-reqsign-* to 2.0.1. Update rust-regex to 1.12.2 and rust-regex-automata to 0.4.13. -------------------------------------------------------------------------------- ChangeLog: * Sun Nov 2 2025 Benjamin A. Beasley - 0.9.7-2 - Allow spdx 0.12 * Fri Oct 31 2025 Benjamin A. Beasley - 0.9.7-1 - Update to 0.9.7 (close RHBZ#2408776) * Thu Oct 30 2025 Benjamin A. Beasley - 0.9.6-1 - Update to 0.9.6 (close RHBZ#2407283) * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-6 - Remove a few more now-unnecessary test skips * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-5 - Consolidate ppc64le/s390x skips for the same test * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-4 - Remove python_list::python_list* test skips that no longer fail * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-3 - Skip a test that is flaky on ppc64le -------------------------------------------------------------------------------- References: [ 1 ] Bug #2403244 - rust-regex-1.12.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2403244 [ 2 ] Bug #2403245 - rust-regex-automata-0.4.13 is available https://bugzilla.redhat.com/show_bug.cgi?id=2403245 [ 3 ] Bug #2406419 - rust-get-size2-0.7.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406419 [ 4 ] Bug #2406420 - rust-get-size-derive2-0.7.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406420 [ 5 ] Bug #2411978 - rust-reqsign-core-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411978 [ 6 ] Bug #2411979 - rust-reqsign-command-execute-tokio-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411979 [ 7 ] Bug #2411980 - rust-reqsign-aws-v4-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411980 [ 8 ] Bug #2411981 - rust-reqsign-0.18.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411981 [ 9 ] Bug #2411982 - rust-reqsign-http-send-reqwest-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411982 [ 10 ] Bug #2411983 - rust-reqsign-file-read-tokio-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411983 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-00e5b3d89c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 41 uv update addresses ZIP parsing issues with new features for Python packaging.. Fedora security advisory, uv package update, Python package installer. . Severity: Important. LinuxSecurity.com Team
Nov 15, 2025
•Important
Fedora
89
security advisoryfedoracriticalFedora 42: uv Critical ZIP Parsing Issue Update 2025-e60a4ba4d7
uv / python-uv-build 0.9.7 https://github.com/astral-sh/uv/releases/tag/0.9.7 0.9.6 This release contains an upgrade to Astral's fork of async_zip, which addresses. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-e60a4ba4d7 2025-11-15 01:30:31.747715+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 42 Version : 0.9.7 Release : 2.fc42 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows. Highlights: \u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands. \u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync). \u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication. \u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python. \u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages. \u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows. \u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative resolution strategies. \u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver. \u2022 \U0001f91d Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more. -------------------------------------------------------------------------------- Update Information: uv / python-uv-build 0.9.7 https://github.com/astral-sh/uv/releases/tag/0.9.7 0.9.6 This release contains an upgrade to Astral's fork of async_zip, whichaddresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details. https://github.com/astral-sh/uv/releases/tag/0.9.6 ruff 0.14.3 https://github.com/astral-sh/ruff/releases/tag/0.14.3 Update rust-get-size2/rust-get-size-derive2 to 0.7.1 (implement GetSize for RefCell). Update rust-reqsign to 0.18.1 and rust-reqsign-* to 2.0.1. Update rust-regex to 1.12.2 and rust-regex-automata to 0.4.13. -------------------------------------------------------------------------------- ChangeLog: * Sun Nov 2 2025 Benjamin A. Beasley - 0.9.7-2 - Allow spdx 0.12 * Fri Oct 31 2025 Benjamin A. Beasley - 0.9.7-1 - Update to 0.9.7 (close RHBZ#2408776) * Thu Oct 30 2025 Benjamin A. Beasley - 0.9.6-1 - Update to 0.9.6 (close RHBZ#2407283) * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-6 - Remove a few more now-unnecessary test skips * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-5 - Consolidate ppc64le/s390x skips for the same test * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-4 - Remove python_list::python_list* test skips that no longer fail * Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-3 - Skip a test that is flaky on ppc64le -------------------------------------------------------------------------------- References: [ 1 ] Bug #2403244 - rust-regex-1.12.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2403244 [ 2 ] Bug #2403245 - rust-regex-automata-0.4.13 is available https://bugzilla.redhat.com/show_bug.cgi?id=2403245 [ 3 ] Bug #2406419 - rust-get-size2-0.7.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406419 [ 4 ] Bug #2406420 - rust-get-size-derive2-0.7.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406420 [ 5 ] Bug #2411978 - rust-reqsign-core-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411978 [ 6 ] Bug #2411979 - rust-reqsign-command-execute-tokio-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411979 [ 7 ] Bug #2411980 - rust-reqsign-aws-v4-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411980 [ 8 ] Bug #2411981 - rust-reqsign-0.18.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411981 [ 9 ] Bug #2411982 - rust-reqsign-http-send-reqwest-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411982 [ 10 ] Bug #2411983 - rust-reqsign-file-read-tokio-2.0.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2411983 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-e60a4ba4d7' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Critical update for uv in Fedora 42 addresses ZIP parsing issues and enhances package installation speed.. python package installer, Fedora update, async zip vulnerabilities. . Severity: Critical. LinuxSecurity.com Team
Nov 15, 2025
•Critical
Fedora
89
security advisoryfedoraupdateFedora 43 uv Update 2025-4154ea83d0: Security Advisory for Fast Installer
uv / python-uv-build 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md Pydantic 2.12.3. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-4154ea83d0 2025-11-05 02:09:57.817569+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 43 Version : 0.9.5 Release : 1.fc43 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows. Highlights: \u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands. \u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync). \u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication. \u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python. \u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages. \u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows. \u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative resolution strategies. \u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver. \u2022 \U0001f91d Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more. -------------------------------------------------------------------------------- Update Information: uv / python-uv-build 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md ruff0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md Pydantic 2.12.3 Blog post maturin 1.9.6 https://github.com/PyO3/maturin/blob/v1.9.6/Changelog.md python-typing-inspection 0.4.2 (2025-10-01) Add typing_objects.is_noextraitems() python-jiter 0.11.0 https://github.com/pydantic/jiter/releases/tag/v0.11.0 python-pydantic-extra-types 2.10.6 https://github.com/pydantic/pydantic-extra-types/releases/tag/v2.10.6 Typer 0.20.0 Features \u2728 Enable command suggestions on typo by default. Upgrades \u2b06\ufe0f Add (official) support for Python 3.14. Internal Assorted small enhancements. FastAPI 0.120.1 Upgrades \u2b06\ufe0f Bump Starlette to
Nov 05, 2025
•Important
Fedora
89
security advisoryfedorasecurity fixFedora 42: uv 0.9.5 Important Security Fix CVE-2025-62518
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 42 Version : 0.9.5 Release : 1.fc42 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows. Highlights: \u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands. \u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync). \u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication. \u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python. \u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages. \u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows. \u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative resolution strategies. \u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver. \u2022 \U0001f91d Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fixfor CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.5-1 - Update to 0.9.5 (close RHBZ#2402923) * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.4-1 - Update to 0.9.4 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.3-1 - Update to 0.9.3 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.2-1 - Update to 0.9.2 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.1-1 - Update to 0.9.1 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.0-1 - Update to 0.9.0 * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-4 - Try to work around \u201ctoo many open files\u201d on 192-core builders * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-3 - Revert "Allow hashbrown 0.15 (for EPEL10.1)" * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-2 - Allow hashbrown 0.15 (for EPEL10.1) * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.24-1 - Update to 0.8.24 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.23-1 - Update to 0.8.23 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.22-1 - Update to 0.8.22 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.21-1 - Update to 0.8.21 * Thu Oct 16 2025 Gordon Messmer - 0.8.20-2 - Use rpm's native resource tunable to limit parallelism. * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.20-1 - Update to 0.8.20 (close RHBZ#2389326) * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.19-1 - Update to 0.8.19 * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.18-1 - Update to 0.8.18 * Sun Sep28 2025 Benjamin A. Beasley - 0.8.17-1 - Update to 0.8.17 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.16-1 - Update to 0.8.16 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.15-1 - Update to 0.8.15 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.14-1 - Update to 0.8.14 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.13-1 - Update to 0.8.13 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.12-1 - Update to 0.8.12 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.11-5 - Use the bundled reqwest-middleware, too -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer tothe dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Addressing CVE-2025-62518, this advisory covers a critical security fix for Fedora 42's uv package.. Fedora Update, security fix, UV package, CVE-2025-62518, important advisory. . Severity: Important. LinuxSecurity.com Team
Nov 03, 2025
•Important
Fedora
89
security advisoryfedoracriticalFedora 41: uv Critical CVE-2025-62518 Parser Desynchronization Fix
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-43a0bff5ea 2025-11-03 01:00:54.501352+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 41 Version : 0.9.5 Release : 1.fc41 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows. Highlights: \u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands. \u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync). \u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication. \u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python. \u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages. \u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows. \u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative resolution strategies. \u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver. \u2022 \U0001f91d Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fixfor CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv. Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1. Patch openapi-python-client to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.5-1 - Update to 0.9.5 (close RHBZ#2402923) * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.4-1 - Update to 0.9.4 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.3-1 - Update to 0.9.3 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.2-1 - Update to 0.9.2 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.1-1 - Update to 0.9.1 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.0-1 - Update to 0.9.0 * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-4 - Try to work around \u201ctoo many open files\u201d on 192-core builders * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-3 - Revert "Allow hashbrown 0.15 (for EPEL10.1)" * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-2 - Allow hashbrown 0.15 (for EPEL10.1) * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.24-1 - Update to 0.8.24 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.23-1 - Update to 0.8.23 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.22-1 - Update to 0.8.22 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.21-1 - Update to 0.8.21 * Thu Oct 16 2025 Gordon Messmer - 0.8.20-2 - Use rpm's native resource tunable to limit parallelism. * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.20-1 - Update to 0.8.20 (close RHBZ#2389326) * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.19-1 - Update to 0.8.19 * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.18-1 - Update to 0.8.18 * Sun Sep 28 2025 Benjamin A.Beasley - 0.8.17-1 - Update to 0.8.17 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.16-1 - Update to 0.8.16 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.15-1 - Update to 0.8.15 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.14-1 - Update to 0.8.14 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.13-1 - Update to 0.8.13 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.12-1 - Update to 0.8.12 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.11-5 - Use the bundled reqwest-middleware, too -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405471 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405471 [ 8 ] Bug #2405472 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405472 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-43a0bff5ea' at the command line. For more information, refer to the dnf documentationavailable at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 41 update fixes critical parser meta-desynchronization in uv affecting installation workflows. Stay secure!. parser desynchronization, Python package installer, Fedora update, CVE-2025-62518. . Severity: Critical. LinuxSecurity.com Team
Nov 03, 2025
•Critical
Fedora
89
security advisoryfedorasecurity fixFedora 41: rust-manyhow Security Update CVE-2025-62518 Addressed
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-43a0bff5ea 2025-11-03 01:00:54.501352+00:00 -------------------------------------------------------------------------------- Name : rust-manyhow Product : Fedora 41 Version : 0.11.4 Release : 1.fc41 URL : https://crates.io/crates/manyhow Summary : Proc macro error handling la anyhow x proc-macro-error Description : Proc macro error handling la anyhow x proc-macro-error. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv. Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1. Patch openapi-python-client to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Sat Oct 4 2025 Benjamin A. Beasley - 0.11.4-1 - Initial package (close RHBZ#2398062) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 -rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405471 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405471 [ 8 ] Bug #2405472 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405472 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-43a0bff5ea' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 41 updates for rust-manyhow include security fixes for CVE-2025-62518 and parser vulnerabilities in uv packages.. rust-manyhow, Fedora, security fix, parser desynchronization, uv. . Severity: Important. LinuxSecurity.com Team
Nov 03, 2025
•Important
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!